Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
APT-C-20 Hackers Use PNG Images to Deliver Fileless C# Backdoor
July 8, 2026
PromptSpy Android Malware Leverages Google Gemini for Adaptive Attacks
July 8, 2026
ClickFix Phishing Campaign Targets Mexican Bank Customers With Fake Google Verification
July 8, 2026
Home/Threats/ClickFix Phishing Campaign Targets Mexican Bank Customers With Fake Google Verification
Threats

ClickFix Phishing Campaign Targets Mexican Bank Customers With Fake Google Verification

Key Takeaways A new phishing campaign, dubbed REF6045, is actively targeting Mexican bank customers using a fake Google verification page. The attackers employ the ClickFix technique, tricking...

Sarah simpson
Sarah simpson
July 8, 2026 4 Min Read
2 0

Key Takeaways

  • A new phishing campaign, dubbed REF6045, is actively targeting Mexican bank customers using a fake Google verification page.
  • The attackers employ the ClickFix technique, tricking victims into executing a command that installs the SCMBANKER malware.
  • SCMBANKER is designed for real-time banking fraud, allowing human operators to monitor sessions, redirect users, and steal financial data.
  • The campaign targets a wide range of financial services within Mexico, including retail banks, fintech, and cryptocurrency exchanges.
  • Attackers are leveraging open-source tools and potentially Large Language Models (LLMs) to construct their malware, reducing the need for advanced coding skills.

Sophisticated Phishing Leverages Fake Google Verification for Banking Fraud

A new and highly interactive phishing campaign, identified as REF6045, is actively compromising Mexican bank customers through a deceptive Google verification page. This operation deploys a specialized malware toolkit, named SCMBANKER, which is engineered not merely for data exfiltration but for direct, operator-assisted financial fraud.

Table Of Content

  • Key Takeaways
  • Sophisticated Phishing Leverages Fake Google Verification for Banking Fraud
  • Operator-Assisted Fraud and Malware Capabilities
  • The Infection Chain: From Fake CAPTCHA to Full Compromise
  • What You Should Do

The campaign employs a well-known tactic, often referred to as “ClickFix,” where unsuspecting victims are socially engineered into copying and executing a malicious command. This seemingly innocuous action initiates a multi-stage infection process, granting attackers significant control over the compromised system. Once established, the threat actors can monitor banking sessions, manipulate user interactions, and redirect victims towards fraudulent phone scams or additional phishing sites.

This operation is particularly notable due to the presence of a human operator who dynamically assesses each victim’s session and escalates the attack as opportunities for financial exploitation arise. The SCMBANKER malware family itself has been traced back to at least October 2025, with Elastic telemetry first detecting active infections in June 2026. The scope of its targeting within Mexico’s financial sector is extensive, encompassing traditional retail banks, business banking platforms, various fintech services, payment processors, cryptocurrency exchanges, investment platforms, SAT services, and even telecommunication providers.

Elastic Security Labs researchers were the first to identify and detail this campaign. In a report shared with Cyber Security News (CSN), Elastic stated that the attackers utilize the fake verification pages to install their toolkit, subsequently transforming infected machines into conduits for real-time financial abuse. While the initial infection vector may appear unsophisticated, the overall campaign is meticulously designed for rapid monetization once a target accesses a valuable financial service.

Operator-Assisted Fraud and Malware Capabilities

A distinguishing characteristic of the REF6045 campaign is the high degree of post-compromise control maintained by the attackers. Their capabilities extend beyond passive data collection, allowing them to:

  • Capture screenshots of the victim’s desktop.
  • Force browser redirects to malicious phishing pages.
  • Implement “vishing” overlays, prompting victims to call fraudulent support numbers.
  • Hijack the clipboard to replace legitimate payment details with attacker-controlled accounts.
  • Lock the victim’s screen with fake security warnings.
  • Deploy commercial remote access tools for complete hands-on control of the infected system.

Elastic’s analysis also revealed evidence suggesting that large language models (LLMs) may have been used to generate significant portions of the malware’s code. This indicates a trend where cybercriminals are leveraging AI to lower the barrier to entry for developing sophisticated features without requiring extensive programming expertise.

The Infection Chain: From Fake CAPTCHA to Full Compromise

The attack commences with a fraudulent CAPTCHA or verification page, often presented in Spanish and mimicking legitimate Google security prompts. After successfully navigating this deceptive challenge, the page automatically copies a malicious command to the victim’s clipboard. This command, when executed by the victim, downloads and pipes a first-stage script directly into the Windows command shell.

The initial script then triggers a fake Windows Update screen, designed to pressure the victim into granting administrator privileges. During this process, the mouse cursor is temporarily trapped, preventing user interaction. Concurrently, the bitsadmin utility is used to download the full SCMBANKER toolkit into the public user directory, completing the initial infection.

Elastic identified multiple related delivery sites and file servers exhibiting identical patterns, suggesting the reuse of the same attack infrastructure across various deployments. Furthermore, the attackers demonstrated poor operational security, with exposed directories, a leaked web root archive, and an unauthenticated editor linked to live targeting files. This oversight provides valuable intelligence for defenders.

For cybersecurity professionals, these findings underscore the importance of vigilant monitoring for unusual PowerShell activity, bitsadmin downloads, suspicious usage of Windows Run, and scripts originating from atypical directories. These indicators can signal an early stage of compromise before the financial fraud begins. Crucially, user education remains a vital defense, as the entire attack hinges on the victim’s willingness to trust and manually execute the malicious prompt.

What You Should Do

  • Educate Users: Conduct regular training on phishing awareness, emphasizing the dangers of executing unknown commands or clicking suspicious links, even those disguised as legitimate security prompts.
  • Monitor PowerShell Activity: Implement robust monitoring for suspicious PowerShell commands, especially those involving downloads or unusual script execution.
  • Detect Bitsadmin Usage: Watch for instances of bitsadmin being used to download files from external sources, particularly to sensitive directories.
  • Scrutinize Windows Run and Script Execution: Monitor for unusual commands executed via Windows Run and scripts launched from non-standard user directories.
  • Implement DNS Filtering: Block access to known malicious domains and IP addresses associated with the REF6045 campaign, including those listed in the IoCs below.
  • Deploy Endpoint Detection and Response (EDR): Utilize EDR solutions to detect and prevent the execution of malicious components and to identify post-compromise activities like screenshot capture or remote access tool deployment.

Indicators of compromise (IoCs):-

Type Indicator Description
IPv4 68.211.161[.]46 ClickFix / file host
IPv4 216.250.112[.]100 ClickFix / file host
IPv4 185.242.246[.]169 REF6045 C2
Domain ratonvaquero2026[.]online ClickFix / file host <a href="https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/11146061/f7e3be5e-8b92-49b4-91dc-7fcc6d7c6b76/ClickFix-Campaign-Uses-Fake-Google-Verification-Page-to-Infect-Mexican-Bank

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwarePatchphishingSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Lurking Lizard Malware Creates Proxy Nodes via Fake 7-Zip Installers

Next Post

PromptSpy Android Malware Leverages Google Gemini for Adaptive Attacks

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
DuckDuckGo Browser Uses Community Filter Lists to Block YouTube Ads
July 8, 2026
Critical RCE Flaw in Claude Desktop App Lets Attackers Execute Remote Code
July 8, 2026
CrowdStrike Reveals 5 New AI Prompt Injection Techniques
July 8, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us